It is well known that DRAM chips can retain data for seconds after being powered down (or after the DIMM is removed from its socket). If the DIMM is cooled down, data can be retained for minutes. This opens up the possibility for an attacker with access to the machine to extract vital information (a password or cryptographic key). This can be done by power cycling the computer and rebooting from a bootable USB source; memory content, including sensitive data such as a password, is automatically dumped to USB. Another option is to cool the DIMM down to −50 deg. C, extract it, and insert it into a computer under the attacker's control. Both methods are commonly known as a “cold boot attack”. There is no efficient defense that is acceptable for low-end devices.
Experiments performed by Princeton researchers and published in the article “Lest We Remember: Cold Boot Attacks on Encryption Keys” by J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum, and Edward W. Felten show that a DIMM (Dual Inline Memory Module) can retain data for tens of seconds after power is disconnected and up to a few minutes if the DIMM's DRAM chips are cooled down to −50 deg. C by spraying compressed air from an inverted can. An attacker therefore has sufficient time to remove the DIMM from the computer and insert it into a computer under his control. Thus, either power cycling and booting from USB or physically removing the DIMM enables retrieval of sensitive data, including a password or cryptographic key. Similar experiments were performed using an Altera DE1 development board and Quartus II software that enables control (read, write and power cycling) of SRAM and DRAM memory chips.